EXAMINER'S AMENDMENT 

1. An examiner's amendment to the record appears below. Should the 
changes and/or additions be unacceptable to applicant, an amendment may 
be filed as provided by 37 CFR 1.312. To ensure consideration of such an 
amendment, it MUST be submitted no later than the payment of the issue 
fee. 

Authorization for this examiner's amendment was given in a telephone 
interview with Denis Maloney on 04/14/06. 

The application has been amended as follows: 

1. (Currently Amended) The data collector of claim 2 wherein the redundant network is a 
leased line. [Deleted text: A data collector comprises: 

a computing device that samples packet traffic over a network, and which accumulates 
and collects statistical information about the packet traffic on the network; and 

a port to link the data collector over a redundant network that does not carry the packet 
traffic to deliver the accumulated and collected statistical information about the network packet 
traffic to a central control center.] 

2. (Currently Amended) A data collector to sample packet traffic, accumulate, and collect 
statistical information about network flows comprises: 

a computing device that executes a computer program product stored on a computer 
readable medium comprising instructions to cause the computing device to: 

collect statistical information pertaining to network packets received by the data 
collector; 
monitor a parameter of traffic flow at multiple levels of granularity to trace the 
source of an attack, with instructions to monitor further comprising instructions to: 

divide the traffic flow into buckets that track counts of how many packets the data 
collector examines for a given parameter; and 

adjust the number of buckets as the number of buckets approaches a bucket 
threshold, by combining several buckets into fewer buckets or dividing a bucket into 
more buckets; 

maintain the statistical information in a log; and wherein the data collector further 
comprises: 

a port to link the data collector over a redundant network that does not carry the packet 
traffic to deliver collected statistical information data about the network packets to a central 
control center upon demand by the central control center. 

4. (Currently Amended) The data collector of claim 2 wherein the redundant network is a 
telephone network or [deleted text: dedicated leased telephone line]. 

7. (Currently Amended) The data collector of claim 2 wherein the computer program 
product in the data collector executes rules to analyze the collected statistical information 
statistics and produces a message that raises an alarm to the control center. 

11. (Currently Amended) A method of collecting data from sampled network traffic, 
pertaining to network traffic flows comprises: 

sampling the network traffic and generating statistical information pertaining to the 
sampled network packets; and 

monitoring a parameter of traffic flow at multiple levels of granularity to trace the source 
of an attack, with monitoring further comprising: 

dividing the traffic flow into buckets that track counts of how many packets a data 
collector or gateway examines for a given parameter; and 

adjusting the number of buckets as the number of buckets approaches a bucket threshold, 
by combining several buckets into fewer buckets or dividing a bucket into more buckets; 
communicating [deleted text: the generated data] the generated statistical information over a redundant 
network that does not carry the packet traffic to deliver the generated statistical information data 
pertaining to the network packets to a central control center in response to a query for the 
generated statistical information from the central controller. 

12. (Currently Amended) The computer program product of claim 23 wherein layer 3-7 
analysis further comprises instructions to: 

monitor network traffic for unusual levels of IP fragmentation, or fragmented IP packets 
with bad or overlapping fragment offsets. [Deleted text: The method of claim 11 wherein generating further 
comprises: 

monitoring a parameter of traffic flow at multiple levels of granularity.] 

13. (Currently Amended) The computer program product of claim 23 wherein layer 3-7 
analysis further comprises instructions to: 

monitor network traffic for IP packets with bad source addresses or ICMP packets with 
broadcast destination addresses. [Deleted text: The method of claim 12 wherein monitoring the parameter at 
multiple levels of granularity is used to trace the source of an attack.] 



14. (Currently Amended) The computer program product of claim 23 wherein layer 3-7 
analysis further comprises instructions to: 

monitor network traffic for transport control protocol (TCP) or user datagram protocol 
(UDP) packets addressed to unused ports. [Deleted text: The method of claim 13 wherein monitoring further 
comprises: 

dividing the traffic flow into buckets that track counts of how many packets a data 
collector or gateway examines for a given parameter; and 

adjusting the number of buckets as the number of buckets approaches a bucket threshold, 
by combining several buckets into fewer buckets or dividing a bucket into more buckets.] 
21. (Currently Amended) A computer program product residing on a computer readable 
medium for sampling network packet traffic to accumulate, and collect statistical information 
about network flows, comprises instructions for causing the a device to: 

collect network packets and produce statistical information pertaining to collected 
network packets; 

monitor a parameter of traffic flow at multiple levels of granularity to trace the source of 
an attack, with instructions to monitor further comprising instructions to: 

divide the traffic flow into buckets that track counts of how many packets a data collector 
or gateway examines for a given parameter; 

adjust the number of buckets as the number of buckets approaches a bucket threshold, by 
combining several buckets into fewer buckets or dividing a bucket into more buckets; 

parse information in the collected packets and maintain the information in a log; and 

send the statistics statistical information to a central control center over a redundant 
network that does not carry the packet traffic in response to a query from the central controller. 

22. (Currently Amended) The computer program product of claim 9 wherein layer 3-7 
analysis further comprises instructions to: 

monitor network traffic for transmission control protocol (TCP) packets with unusually 
small window sizes, which indicate server loading due to an attack, or transmission control 
protocol (TCP) ACK packets that do not belong to a known connection. [Deleted text: The computer program 
product of claim 21 further comprising instructions to: 

monitor a parameter of traffic flow at multiple levels of granularity to trace the source of 
an attack, with instructions to monitor further comprising instructions to: 

divide the traffic flow into buckets that track counts of how many packets a data collector 
or gateway examines for a given parameter; and 

adjust the number of buckets as the number of buckets approaches a bucket threshold, by 
combining several buckets into fewer buckets or dividing a bucket into more buckets.] 
23. (New) The computer program product of claim 21 further comprising instructions to: 
apply multi-level analysis to monitor TCP packet ratios, repressor traffic and statistical 
information based on Layer 3-7 analysis. 

2. The following is an examiner's statement of reasons for allowance. 
The present invention is directed to a method and device for collecting 
network information in order to detect denial of service (DOS) attacks. More 
specifically, independent claims 2, 11 and 21 identify the uniquely distinct 
features: monitoring a parameter of traffic flow at multiple levels of 
granularity to trace the source of an attack, with monitoring further 
comprising: dividing the traffic flow into buckets that track counts of how 
many packets a data collector or gateway examines for a given parameter; 
and adjusting the number of buckets as the number of buckets approaches a 
bucket threshold, by combining several buckets into fewer buckets or 
dividing a bucket into more buckets. The closest prior art, Mansfield et al. 
("Towards Trapping Wily Intruders in the Large"), also disclose a method for 
monitoring network traffic and detecting a DOS attack when the count of a 
certain type of packets reaches a threshold. However, Mansfield does not 
teach dividing the traffic flow into buckets that track counts of how many 
packets a data collector examines for a given parameter and adjusting the 
number of buckets as the number of buckets approaches a bucket threshold, 
by combining several buckets into fewer buckets or dividing a bucket into 
more buckets. The prior art, taken either singly or in combination, fails to 
anticipate or fairly suggest the limitations of applicant's independent claim, 
in such a manner that a rejection under 35 U.S.C. 102 or 103 would be 
proper. The claimed invention is therefore considered to be in condition for 
allowance as being novel and nonobvious over prior art. 
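The bucket mechanism the examiner singles out above (counts kept per bucket of a monitored parameter, buckets combined into fewer buckets as their number approaches a threshold, and a bucket divided into finer ones to trace a source) can be illustrated with the following Python sketch. It is an added example, not code from the application, the applicant, or the examiner; the choice of source-address prefix as the monitored parameter, the prefix levels 8/16/24/32, the thresholds, the proportional apportioning of a split bucket's count, and the constructed traffic sample are all assumptions of the example.

```python
"""Adaptive bucketed packet counting with merge/split of buckets.
Added illustration of the claimed mechanism; parameter choice, levels,
thresholds and sample traffic are assumptions, not the application's."""
from collections import Counter, deque
import ipaddress

# Levels of granularity for the source-address parameter, coarse to fine (assumed).
LEVELS = (8, 16, 24, 32)


def key_for(addr, prefix_len):
    """Bucket key: the address truncated to prefix_len bits, e.g. 10.1.0.0/16."""
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


class AdaptiveBucketMonitor:
    """Tracks packet counts per bucket; the bucket set is reshaped on the fly."""

    def __init__(self, bucket_threshold=8, start_level=16, hot_fraction=0.5,
                 min_packets=16, sample_size=64):
        assert start_level in LEVELS
        self.bucket_threshold = bucket_threshold  # merge once this many buckets exist
        self.start_level = start_level            # prefix length of a brand-new bucket
        self.hot_fraction = hot_fraction          # split a bucket holding more than this share
        self.min_packets = min_packets            # never split on a tiny total
        self.sample_size = sample_size            # recent addresses kept per bucket
        self.counts = {}                          # IPv4Network -> packets counted
        self.samples = {}                         # IPv4Network -> deque of recent addresses
        self.total = 0

    def observe(self, addr):
        """Count one sampled packet by its source address, then rebalance buckets."""
        net = self._find_bucket(addr)
        if net is None:
            net = key_for(addr, self.start_level)
            self.counts[net] = 0
            self.samples[net] = deque(maxlen=self.sample_size)
        self.counts[net] += 1
        self.samples[net].append(addr)
        self.total += 1
        if len(self.counts) >= self.bucket_threshold:
            self._merge()
        elif (self.total >= self.min_packets
              and self.counts[net] > self.hot_fraction * self.total
              and net.prefixlen < LEVELS[-1]):
            self._split(net)

    def _find_bucket(self, addr):
        """Longest-prefix match of addr against the current buckets."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net in self.counts:
            if ip in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return best

    def _merge(self):
        """Combine the finest-grained buckets into their parent prefix one level up."""
        finest = max(n.prefixlen for n in self.counts)
        idx = LEVELS.index(finest)
        if idx == 0:
            return  # already at the coarsest level; nothing to combine
        parent_len = LEVELS[idx - 1]
        counts, samples = {}, {}
        for net, c in self.counts.items():
            target = net.supernet(new_prefix=parent_len) if net.prefixlen == finest else net
            counts[target] = counts.get(target, 0) + c
            samples.setdefault(target, deque(maxlen=self.sample_size)).extend(self.samples[net])
        self.counts, self.samples = counts, samples

    def _split(self, net):
        """Divide a hot bucket into finer buckets, apportioning its count by the retained sample."""
        child_len = LEVELS[LEVELS.index(net.prefixlen) + 1]
        sample = self.samples[net]
        per_child = Counter(key_for(a, child_len) for a in sample)
        if len(self.counts) - 1 + len(per_child) >= self.bucket_threshold:
            return  # splitting would exceed the bucket budget; stay coarse
        count = self.counts.pop(net)
        del self.samples[net]
        for child, n in per_child.items():
            # Assumption of this example: the parent's count is shared out in proportion
            # to how many of its recent sampled addresses fall in each child.
            self.counts[child] = round(count * n / len(sample))
            self.samples[child] = deque((a for a in sample if key_for(a, child_len) == child),
                                        maxlen=self.sample_size)
        self.total = sum(self.counts.values())

    def snapshot(self):
        """Current buckets as {prefix string: packet count}."""
        return {str(n): c for n, c in self.counts.items()}

    def top_bucket(self):
        """The bucket carrying the most packets: the traced source at the finest level reached."""
        net, c = max(self.counts.items(), key=lambda kv: kv[1])
        return str(net), c


def run_demo():
    """Constructed traffic: light background from ten 10.x/16 networks, then a flood from one host."""
    background = [f"10.{i}.{j}.1" for i in range(10) for j in (1, 2)]
    flood = ["203.0.113.7"] * 60  # TEST-NET-3 address; constructed sample, not real data
    monitor = AdaptiveBucketMonitor()
    for addr in background + flood:
        monitor.observe(addr)
    return monitor.snapshot()


if __name__ == "__main__":
    print(run_demo())  # {'10.0.0.0/8': 20, '203.0.113.7/32': 60}
```

In the constructed run, the eighth distinct /16 pushes the bucket count to the threshold, so the background buckets are combined into a single 10.0.0.0/8 bucket; the flood then makes its /16 bucket hold more than half of all counted packets, and that bucket is divided twice, down to the single host, while the bucket budget is never exceeded. The guard in `_split` (refuse a split that would itself reach the threshold) and the proportional apportioning of a split bucket's count are design choices of this example, not details recited in the claims.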

Any comments considered necessary by applicant must be submitted 
no later than the payment of the issue fee and, to avoid processing delays, 
should preferably accompany the issue fee. Such submissions should be 
clearly labeled "Comments on Statement of Reasons for Allowance." 

Any inquiry concerning this communication or earlier communications 
from the examiner should be directed to Minh Dinh whose telephone number 
is 571-272-3802. The examiner can normally be reached on Mon-Fri: 
10:00am-6:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Gilberto Barron can be reached on 571-272-3799. 
The fax phone number for the organization where this application or 
proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained 
from the Patent Application Information Retrieval (PAIR) system. Status 
information for published applications may be obtained from either Private 
PAIR or Public PAIR. Status information for unpublished applications is 
available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on 
access to the Private PAIR system, contact the Electronic Business Center 
(EBC) at 866-217-9197 (toll-free). 